Switch Port Security Summary

Source: Internet
Author: User
Tags: snmp

The most common form of switch Port Security controls and manages network traffic based on MAC addresses. For example, you can bind a MAC address to a specific port, limit the number of MAC addresses a specific port may use, or prevent frames from certain MAC addresses from passing through a specific port. Port Security can also control network access based on 802.1X.

I. Binding MAC addresses to ports and permitting traffic based on MAC addresses

1. Bind the MAC address to the port

When the switch sees a host MAC address that differs from the MAC address specified on the port, it shuts the corresponding port down. When you specify a MAC address for a port, the port must be in access or trunk mode.

  3550-1# conf t
  3550-1(config)# int f0/1
  3550-1(config-if)# switchport mode access
  ! specify the port mode
  3550-1(config-if)# switchport port-security
  ! enable port security on the interface
  3550-1(config-if)# switchport port-security mac-address 0090.f510.79c1
  ! configure the secure MAC address (IOS expects the H.H.H format)
  3550-1(config-if)# switchport port-security maximum 1
  ! restrict the number of MAC addresses allowed on this port to 1
  3550-1(config-if)# switchport port-security violation shutdown
  ! when a frame inconsistent with the above configuration is seen, the port is shut down

2. Restrict the number of MAC addresses on a port

This configuration allows a trunk port to pass up to 100 MAC addresses. When more than 100 are seen on the port, frames from any new host are dropped.

  3550-1# conf t
  3550-1(config)# int f0/1
  3550-1(config-if)# switchport trunk encapsulation dot1q
  3550-1(config-if)# switchport mode trunk
  ! configure the port mode as trunk
  3550-1(config-if)# switchport port-security
  ! enable port security on the interface
  3550-1(config-if)# switchport port-security maximum 100
  ! at most 100 MAC addresses are allowed on this port
  3550-1(config-if)# switchport port-security violation protect
  ! when the number of host MAC addresses exceeds 100, the switch keeps working, but frames from new hosts are dropped

II. Reject traffic based on the MAC address

The preceding configuration permits traffic based on the MAC address; the following configuration rejects traffic based on the MAC address.

On a Catalyst switch this configuration filters only unicast traffic; it does not apply to multicast traffic.

  3550-1# conf t
  3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 drop
  ! drop traffic from and to this MAC address in VLAN 2
  3550-1(config)# mac-address-table static 0090.f510.79c1 vlan 2 interface f0/1
  ! static entry for this MAC address in VLAN 2 bound to interface f0/1

III. Understanding Port Security

When you configure the maximum number of secure MAC addresses for a port, the secure addresses are added to an address table in one of the following ways:

You can use the switchport port-security mac-address <mac address> command to configure all MAC addresses statically.

You can also allow secure MAC addresses to be learned dynamically from the MAC addresses of the connected devices.

You can configure a number of addresses statically and allow the rest to be learned dynamically.

Note: If the port is shut down, all dynamic MAC addresses are removed.

Once the maximum number of MAC addresses is reached, the learned addresses are held in the address table. Set the maximum number of MAC addresses to 1 and configure the address of the connected device to ensure that this device has exclusive use of the port's bandwidth.

IV. Port Security rules

A security violation occurs in the following situations:

A MAC address that is not in the address table tries to access this port.

A station whose MAC address is configured as a secure MAC address on another interface attempts to access this port.

V. The three violation modes of an interface

You can configure one of three violation modes on an interface, according to the action taken after a violation occurs:

Protect: when the number of secure MAC addresses reaches the maximum allowed on the port, packets with unknown source addresses are dropped until enough secure MAC addresses are removed or the maximum value is raised.

Restrict: a port-security violation action that drops the offending traffic and increments the "security violation" counter.

Shutdown: a port-security violation action that immediately puts the interface into the error-disabled state and sends an SNMP trap. When a secure port is in the error-disabled state, you must enter the global errdisable recovery cause psecure-violation command to restore it, or bring it back manually with shutdown followed by no shutdown. This is the default action for port-security violations.

VI. Default port security configuration

The following are the port security defaults on an interface:

Feature: port security: disabled by default.

Feature: maximum number of secure MAC addresses: 1 by default.

Feature: violation mode: shutdown by default. When the maximum number of secure MAC addresses is exceeded, the port is shut down and an SNMP trap is sent at the same time.

VII. Port security configuration guidelines

Secure ports cannot be configured on dynamic access ports or trunk ports. In other words, switchport mode access must be configured before switchport port-security.

A secure port cannot be a protected port.

A secure port cannot be a SPAN destination port.

A secure port cannot belong to a GEC or FEC (EtherChannel) group.

A secure port cannot be an 802.1X port. If you try to enable 802.1X on a secure port, an error is reported and 802.1X is not enabled. If you try to change an 802.1X-enabled port into a secure port, an error message appears and the security settings are not changed.
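As an added example (not from the original article), a short Python audit that applies rules from sections I, V, VI and VII to an IOS running-config: it parses the interface blocks and flags secure ports that are left in dynamic mode, also run 802.1X, use the silent protect mode, or carry more static secure MAC addresses than their maximum allows. The configuration excerpt and interface names are constructed for the example.

```python
import re

# Constructed running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0090.f510.79c1
!
interface FastEthernet0/2
 switchport port-security violation protect
 switchport port-security mac-address 0090.f510.79c1
 switchport port-security mac-address 0090.f510.79c2
 dot1x port-control auto
"""

def parse_interfaces(config):
    """Map each 'interface X' block to its indented sub-commands."""
    blocks, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the block
    return blocks

def audit_port_security(config):
    """Return a list of (interface, finding) for every port that uses port security."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport port-security") for l in lines):
            continue
        # Section VII: no dynamic ports; no 'switchport mode' line means the default dynamic mode.
        mode = next((l for l in lines if l.startswith("switchport mode ")), "")
        if mode not in ("switchport mode access", "switchport mode trunk"):
            findings.append((name, "port mode must be set statically (access or trunk)"))
        if any(l.startswith("dot1x ") for l in lines):  # section VII
            findings.append((name, "802.1X and port security cannot both be enabled"))
        if "switchport port-security violation protect" in lines:  # section V
            findings.append((name, "violation mode protect drops silently, no violation counter"))
        # Sections I and VI: the default maximum is 1 and static entries must fit in it.
        m = re.search(r"port-security maximum (\d+)", "\n".join(lines))
        maximum = int(m.group(1)) if m else 1
        static = sum(l.startswith("switchport port-security mac-address") for l in lines)
        if static > maximum:
            findings.append((name, f"{static} static secure MACs exceed maximum {maximum}"))
    return findings
```

Running audit_port_security(SAMPLE_CONFIG) reports nothing for FastEthernet0/1 and four findings for FastEthernet0/2.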

VIII. 802.1X concepts and configuration

The 802.1X authentication protocol was originally used in wireless networks and was later adopted on wired network devices such as common switches and routers. It authenticates a user's identity on a per-port basis: when a user's traffic tries to pass through a port configured with 802.1X, the user must authenticate successfully before gaining access to the network. The advantage is that you can authenticate intranet users, simplify configuration, and to a certain extent replace Windows AD.

To configure 802.1X authentication, you must first enable AAA authentication globally. This is not very different from using AAA authentication at the network boundary, except that the authentication protocol is 802.1X; next, you enable 802.1X authentication on the corresponding interfaces. We recommend enabling 802.1X authentication on all ports and using a RADIUS server to manage user names and passwords.

IX. Configure the local user name and password used for AAA authentication

  3550-1# conf t
  3550-1(config)# aaa new-model
  ! enable AAA
  3550-1(config)# aaa authentication dot1x default local
  ! enable 802.1X authentication globally and use the local user name and password database
  3550-1(config)# dot1x system-auth-control
  ! added here: later IOS releases also need this command before 802.1X is active on any port
  3550-1(config)# int range f0/1 - 24
  3550-1(config-if-range)# dot1x port-control auto
  ! enable 802.1X authentication on all interfaces

X. Summary of switch Port Security

MAC addresses can be used to control network traffic either through the configurations above or through access control lists; on the Catalyst 3550, for example, you can use MAC access lists numbered 700-799 to filter MAC addresses. However, controlling traffic with access control lists is cumbersome and seems rarely used, so I will not discuss it here.

Although MAC address binding can ensure intranet security to some extent, its effect is not very good. We recommend using the 802.1X authentication protocol instead; 802.1X is a good choice in terms of controllability and manageability.
